The 2013 Children’s Online Privacy Protection updates are now in effect. If you run a website, ad network or plugin – whether it targets children or not – take a minute to cozy up with the new COPPA rules. Not doing so could mean a multimillion dollar FTC fine and possible banishment from the online marketing industry.
Why Does COPPA Exist, and What Is It Meant To Prevent?
In the words of the Federal Trade Commission, “The Children’s Online Privacy Protection Act (COPPA) puts parents in control.” Bluntly speaking: COPPA is an online privacy law that protects kids from pedophiles and unscrupulous online marketers.
What Is COPPA (In 150 Words or Less, Please)?
COPPA is a United States law that makes it illegal for commercial websites, plugins or ad networks to collect identifying information about kids under 13 without parental consent. The law demands that information-collecting companies:
- Maintain stringent security measures to keep online personal data safe;
- Get verifiable parental consent before digitally collecting personal information from children under 13;
- Publish/post conspicuous, easy-to-understand privacy policies;
- Implement a system which notifies parents and guardians of policy and procedure changes;
- Provide a way for parents/guardians to opt-out or delete their child’s information at any time.
What if you’ve got a tricky kid who is able to fake parental consent? Or worse, what if an intermediary finds a way to impersonate a child’s guardian? Would I be liable?
Kids are technologically savvy. So, what should a website operator do if a child is responsible for faking parental consent? Or worse yet, what if a criminal figures out a way to mimic parental consent? According to the FTC, all operators should choose a method “reasonably designed in light of available technology to ensure that the person giving consent is the child’s parent.”
If you’re unsure about FTC-approved methods for verifying consent under COPPA, get in touch with an FTC lawyer who will help you find the best option for your business.
What, Exactly, Is Considered ‘Personal Information’ Under COPPA Regulations?
Under COPPA, the following information items are considered personal information:
- Full name
- Home or physical address, including street name and city or town
- Online contact address – email, IM, VoIP, video chat
- Screen name or user name when used as an online moniker
- Telephone number
- Social security number
- A persistent identifier (cookie) that can track across multiple websites.
- Media file containing child’s image or voice
- Geolocation information
- Any information collected about the child or their parents that is combined with any other identifying PII.
What happens if a kid lies about his or her age? Can I still be held responsible for violating COPPA?
Generally speaking, authorities don’t hold operators responsible if minors lie about their age. After all, it’s not the responsibility of developers to parent the country’s kids. That said, the latest COPPA update includes the words, “actual knowledge.” So, if you do have knowledge (whether you wanted it or not) of underage users age-fibbing on your platform, you may unwittingly summon the wrath of the FTC.
What is the main change in the latest COPPA update?
Several changes were implemented in the latest COPPA update. The biggest adjustment is that more businesses are now subject to the law – not just website operators. So, if you’re an app developer or an ad network entrepreneur, COPPA now officially applies to you, too.
List of Who Must Follow COPPA Rules
Still not sure whether COPPA concerns you? Below is a categorical list of the types of websites and companies that must adhere to COPPA rules.
- Commercial websites directed at children under 13 that collect personal information;
- Commercial websites directed at children under 13 that allow third parties to collect personal information;
- Commercial websites directed at a general audience where the operator has “actual knowledge” that minors under 13 are using the platform;
- Ad networks or plugins that have actual knowledge that they are collecting information from users of websites “directed to children under 13” (this covers mobile apps, internet-enabled gaming platforms, plugins, ad networks, geolocation services and VoIP services).
What does the FTC mean when they say “sites directed at children”?
One of the most important aspects of COPPA is the vaguely worded “directed at children” provision. Vague because one person’s Harry Potter is another person’s Mephistopheles. That said, the FTC outlined what factors are considered when examining a COPPA-related case:
- Subject matter;
- Visual and audio content;
- Use of animated characters or other child-oriented activities and incentives;
- Age of models;
- Presence of child celebrities or celebrities who appeal to kids;
- Ad services directed towards children;
- “And other reliable evidence about the age of the actual intended audience.”
What constitutes ‘collection’ under the new COPPA rules?
Another piece of the COPPA puzzle is the concept of “collection.” Since data can be culled in myriad ways, it’s essential to understand that “collection” under COPPA is multifaceted. Under the law, the following acts constitute collection:
- “Requesting, prompting or encouraging” information submission — even if optional;
- Making information public (forum or open chat), unless all personal and identifying fragments are completely stripped before the message goes public; and
- “Passively track[ing] a child online.”
Moreover, if a third party collects personal information via a plugin on your site, you’re responsible for complying with COPPA, even if you don’t personally collect information.
What about privacy policies? Does COPPA mention anything about them?
To comply with COPPA, your website must have a rock-solid privacy policy that details your procedures and addresses third-party systems used on your site. Make sure the link is accessible in your website’s footer and be sure it is in close proximity to any “contact” or “sign-up” forms or modules.
What constitutes ‘direct notice’ under COPPA?
Another COPPA provision is parental direct notice. Essentially, you must give parents/guardians “direct notice” before collecting their kids’ personally identifiable information, and it must be a straightforward communication.
Acceptable methods include:
- Consent form that is faxed back, mailed back or electronically scanned back;
- Use of a payment card (credit or debit) that “provides notification of each separate transaction to the account holder”;
- Video conference with “trained personnel”;
- Toll-free phone call to “trained personnel.”
What is the E-mail Plus COPPA program?
If you only use minors’ information for internal purposes, the “E-mail Plus” program is available to you. It’s a less rigorous parental notification system with the FTC stamp of approval. The E-mail Plus program works as follows:
- Send an email to the parent/guardian, who then responds with consent;
- Send the parents a confirmation of the exchange by email, phone or letter;
- The parent can revoke consent at any time;
- If you change your methods or policies, you must inform the parents.
The new COPPA rules include changes to ongoing parental rights. Can you explain what that means?
Since the goal of the Children’s Online Privacy Protection Act is to give parents control over how their children’s information is collected and stored, it follows that parents and guardians, under the law, are granted the right to learn about what data a company is holding on their child, in addition to being able to delete it. The law specifically grants parents the right to:
- Review their kids’ information at any time;
- Revoke consent and refuse further collection of information;
- Delete their child’s information.
What standards must I meet to comply with COPPA’s security measure provision?
“COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children. Minimize what you collect in the first place.”
The above is advice lifted directly from the FTC’s website. So while they don’t specifically outline a data security bar which must be met, they do expect operators to have a fail-proof plan in place.
The simple rule of thumb is this: If your security measures don’t work, they’re not good enough.
Are there any instances when one doesn’t have to get parental consent?
Yes. Below is a chart created by the FTC outlining the only instances when a website operator, developer or ad network doesn’t have to obtain parental consent. Keep in mind that the kind of information you may collect under each exception is narrow. Also, if you collect information under one of these exceptions, you can’t use it or disclose it for any other purpose.
| Reason you may collect information without parental consent | The kind of information you may collect | Limits on how you may use the information | If you collect information under this exception, what you must tell parents in your direct notice |
|---|---|---|---|
| To get verifiable parental consent | child’s and parent’s name and online contact information | You must delete their contact information if you don’t get consent within a reasonable time. | |
| To give voluntary notice to a parent about their child’s participation on a site or service that doesn’t collect personal information | parent’s online contact information | You can’t otherwise collect, use, or disclose the information. | You must: tell parents you collected their online contact information to let them know about their child’s activities on a site or service that doesn’t collect personal information; tell them their online contact information won’t be used for any other purpose; tell them they may refuse their child’s participation and require that you delete their contact information; and hyperlink to your privacy policy. |
| To respond directly to a child’s specific one-time request (for example, if the child wants to enter a contest) | child’s online contact information | You can’t use the information to contact the child again and you must delete it after you respond to the request. | |
| To respond directly more than once to a child’s specific request (for example, if the child wants to receive a newsletter) | child’s and parent’s online contact information | | You must: tell parents you collected their online contact information to let them know their child has asked for multiple online communications; tell parents you collected their child’s online contact information to provide the multiple communications they asked for; tell parents the online contact information won’t be used for any other purpose and won’t be disclosed or combined with other information; tell parents that if they don’t opt out, you may use the child’s online contact information for that purpose; and hyperlink to your privacy policy. |
| To protect a child’s safety | child’s and parent’s name and online contact information | | You must: tell parents you collected the names and contact information to protect a child’s safety; tell parents the information won’t be used or disclosed for any other purpose; tell parents they may refuse to permit the use of the contact information and require you to delete it; and hyperlink to your privacy policy. |
| To protect the security or integrity of your site or service, to take precautions against liability, to respond to judicial process, or — as permitted by law — to provide information to law enforcement | child’s name and online contact information | You can’t use the information to contact a specific person, conduct behavioral advertising, or amass a profile on a person. You can’t use personal information other than a persistent identifier for this exception. | |
| To provide support for internal operations of your site or service. This includes: maintaining or analyzing the functioning of the site, performing network communications, authenticating users of the site or personalizing content, serving contextual ads or frequency capping, protecting the security or integrity of the user or the site, legal or regulatory compliance, or fulfilling a child’s request under the one-time contact or multiple contact exceptions. | persistent identifier | | |
| If you have actual knowledge that a person’s information was collected through a child-directed site, but their previous registration indicates the person is 13 or over. This exception applies only if: you collect only a persistent identifier and no other personal information; the person affirmatively interacts with your site or service to trigger the collection; and you have already conducted an age-screen of the person indicating he or she is 13 or over. | persistent identifier | You can’t collect other personal information. | |